
SAP HANA 1.0
Security & Authorizations
User & Roles Management

4/18/15

param.th.2009@gmail.com


User and Role Concept


User Management and Security

User Provisioning and User Management
Security Details: Types of Privileges
Template Roles for Typical Use Cases


User Provisioning and User Management

Creating Users in HANA

Actual Database Users
Create via SAP HANA Studio
Or using standard SQL statements
Authentication Methods
User / Password
Set up and manage passwords using SAP HANA Studio or SQL
Kerberos Authentication
Certificate-based
Requires Named User in HANA DB


Managing Users and Roles


Step-by-step overview


Creating / managing roles


In SAP HANA Studio


Using SQL Syntax


Run the following statement:
CREATE ROLE <ROLE_NAME>;


Assign Privileges to Roles


Creating Users
Using SAP HANA Studio
Define the initial password (user/password)
Or define the external User ID (e.g. Kerberos) - SSO


Creating Users
Using SQL Syntax
CREATE USER <user_name> PASSWORD <initial_password>;
CREATE USER <user_name> IDENTIFIED EXTERNALLY AS 'user@domain';
(SAP HANA takes the initial password with the PASSWORD clause; the Oracle-style IDENTIFIED BY is not accepted.)
To set the Session Client parameter for the user:
ALTER USER <user_name> SET PARAMETER CLIENT = '<client>';


Grant Role to User


Using HANA Studio:


Grant Role to User


Using SQL Statements:

Enter the following SQL statement:

GRANT <role_name> TO <user_name>;
To also allow the user to grant the role to others (SAP HANA uses ADMIN OPTION for roles; GRANT OPTION applies to object privileges):
GRANT <role_name> TO <user_name> WITH ADMIN OPTION;


Revoke Role from User


Using Studio:

Click the icon


User Management
Useful SQL Statements
Check history of invalid connect attempts for a given user:
SELECT * FROM INVALID_CONNECT_ATTEMPTS WHERE USER_NAME = '<name>';
Reset counter of invalid connect attempts for a given user (required to unlock the user):
ALTER USER <name> RESET CONNECT ATTEMPTS;
Force a given user to change their password:
ALTER USER <name> FORCE PASSWORD CHANGE;
Deactivate a given user:
ALTER USER <name> DEACTIVATE USER NOW;
To re-activate a user that has been deactivated, change the user's password (as administrator [System privilege USER ADMIN]):
ALTER USER <name> PASSWORD <new_password>;
Exempt a given user from the password lifetime rule:
ALTER USER <name> DISABLE PASSWORD LIFETIME;
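As an added example that is not part of the slide deck, the statements above combined into the lockout investigation and cleanup an administrator holding USER ADMIN would run. ANALYST_01 is a placeholder account name and the temporary password is a placeholder value; the SYS.USERS and SYS.GRANTED_ROLES system views and the ACTIVATE USER NOW and ENABLE PASSWORD LIFETIME clauses are standard SAP HANA SQL that the slides do not show.

```sql
-- Added example, not from the slides. ANALYST_01 is a placeholder user name.
-- Run as an administrator holding the USER ADMIN system privilege.

-- 1. Overview: accounts that are deactivated, have failed logons recorded,
--    or have been exempted from the password lifetime rule.
SELECT USER_NAME,
       USER_DEACTIVATED,
       DEACTIVATION_TIME,
       INVALID_CONNECT_ATTEMPTS,
       LAST_INVALID_CONNECT_ATTEMPT,
       LAST_SUCCESSFUL_CONNECT,
       PASSWORD_CHANGE_NEEDED,
       IS_PASSWORD_LIFETIME_CHECK_ENABLED
  FROM SYS.USERS
 WHERE USER_DEACTIVATED = 'TRUE'
    OR INVALID_CONNECT_ATTEMPTS > 0
    OR IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'FALSE'
 ORDER BY LAST_INVALID_CONNECT_ATTEMPT DESC;

-- 2. Which accounts attract the most failed logons? A high count spread over
--    many names is a different picture from one user who forgot a password.
SELECT USER_NAME, COUNT(*) AS FAILED_LOGONS
  FROM SYS.INVALID_CONNECT_ATTEMPTS
 GROUP BY USER_NAME
 ORDER BY FAILED_LOGONS DESC;

-- 3. Full history for the one account under investigation (the slide's query).
SELECT * FROM SYS.INVALID_CONNECT_ATTEMPTS WHERE USER_NAME = 'ANALYST_01';

-- 4. Unlock: clear the failed-logon counter; ACTIVATE USER NOW is the explicit
--    statement that reverses an earlier DEACTIVATE USER NOW.
ALTER USER ANALYST_01 RESET CONNECT ATTEMPTS;
ALTER USER ANALYST_01 ACTIVATE USER NOW;

-- 5. If the administrator had to set a new password, make the user replace it
--    at the next logon so the administrator never keeps a working credential.
ALTER USER ANALYST_01 PASSWORD "Temp_Pwd_2015_x";   -- placeholder value
ALTER USER ANALYST_01 FORCE PASSWORD CHANGE;

-- 6. Lifetime exemptions belong to technical users only; re-enable the rule
--    for any personal account found in step 1.
ALTER USER ANALYST_01 ENABLE PASSWORD LIFETIME;

-- 7. Role grants that can be passed on: every row here is an account able to
--    extend privileges to others, so the list should be short and reviewed.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE IS_GRANTABLE = 'TRUE'
 ORDER BY ROLE_NAME, GRANTEE;
```

Steps 1, 2 and 7 are read-only and can be scheduled as a periodic review; steps 4 to 6 change the account and should be run only for the user actually being handled.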


Security Details: Types of Privileges


Types of Privileges in HANA

1. System Privileges

E.g. USER ADMIN; CREATE TABLE;

2. SQL Privileges

E.g. SELECT ON <table>; DROP ON <schema>

3. Analytic privileges

E.g. see only data for cost center 1000

4. Package privileges

E.g. edit / activate data models in package xyz


Analytic Privileges: Concept

Analytic Privileges are used to control access to SAP HANA data models
Without Analytic Privilege, no data can be viewed from Attribute Views, Analytic Views or Calculation Views
Implement row-level security with Analytic Privileges
Restrict access to a given data container to selected Attribute Values:
Field from Attribute View
Field from Attribute View used in Analytic View
Private Dimension of Analytic View
Attribute field in Calculation View
Combinations of the above
Single value, range

Create Analytic Privilege

*** Activated Analytic Privileges belong to _SYS_REPO ***


Package Privileges are Object Privileges

Reading the list of views inside of a package: REPO.READ
Creation of views inside of a package: REPO.EDIT_NATIVE_OBJECTS
Modification of views inside of a package: REPO.EDIT_NATIVE_OBJECTS
Reading view definitions inside of a package: REPO.READ
Activation of views inside of a package: REPO.ACTIVATE_NATIVE_OBJECTS
Creation of sub-packages inside of a package: REPO.MAINTAIN_NATIVE_PACKAGES

Granting Package Privileges (via SQL):

GRANT <privilege> ON "<package>" TO <user/role>;


Template Roles for Typical Use Cases

What kind of roles might be created:

1. ADMINISTRATOR: Users that set up the system, create other roles, users, ...
2. DEVELOPER: Users who create data models, activate models, import/export, ...
3. INFORMATION CONSUMER: Users who are allowed to read from certain views
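As an added example, not code from the slide deck, the three template roles above built from the privilege types listed earlier (system, SQL, analytic and package privileges, including the package privileges from the previous slide) and then assigned to users. The package sap.demo.sales, the activated analytic privilege AP_COSTCENTER_1000 and every user, role and password value are placeholders. The _SYS_REPO procedures GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT and GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE, the IMPORT and EXPORT system privileges and the EFFECTIVE_PRIVILEGES view are standard SAP HANA objects not shown on the slides; the procedures are used because activated content and activated analytic privileges belong to _SYS_REPO, so a plain GRANT by another user is not enough, and the caller needs EXECUTE on them.

```sql
-- Added example, not from the slides. Package, privilege, role and user names
-- are placeholders; run as an administrator holding USER ADMIN and ROLE ADMIN
-- plus EXECUTE on the two _SYS_REPO procedures used below.

-- 1. ADMINISTRATOR: can create and manage users and roles, nothing else.
CREATE ROLE TMPL_ADMINISTRATOR;
GRANT USER ADMIN TO TMPL_ADMINISTRATOR;
GRANT ROLE ADMIN TO TMPL_ADMINISTRATOR;

-- 2. DEVELOPER: read, create/edit, activate and structure models, but only
--    inside one package; import/export are system privileges.
CREATE ROLE TMPL_DEVELOPER_SALES;
GRANT REPO.READ                     ON "sap.demo.sales" TO TMPL_DEVELOPER_SALES;
GRANT REPO.EDIT_NATIVE_OBJECTS      ON "sap.demo.sales" TO TMPL_DEVELOPER_SALES;
GRANT REPO.ACTIVATE_NATIVE_OBJECTS  ON "sap.demo.sales" TO TMPL_DEVELOPER_SALES;
GRANT REPO.MAINTAIN_NATIVE_PACKAGES ON "sap.demo.sales" TO TMPL_DEVELOPER_SALES;
GRANT IMPORT, EXPORT TO TMPL_DEVELOPER_SALES;

-- 3. INFORMATION CONSUMER: SELECT on the schema holding activated views plus
--    one analytic privilege. Both belong to _SYS_REPO, so they are granted
--    through its procedures. Without the analytic privilege no data can be
--    read from the views; with it the consumer sees cost center 1000 only.
CREATE ROLE TMPL_CONSUMER_CC1000;
CALL "_SYS_REPO"."GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT"
     ('SELECT', '_SYS_BIC', 'TMPL_CONSUMER_CC1000');
CALL "_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE"
     ('AP_COSTCENTER_1000', 'TMPL_CONSUMER_CC1000');

-- 4. Users: a password-authenticated developer (HANA's default policy forces
--    a change of an admin-set password at first logon) and a Kerberos consumer.
CREATE USER DEV_ALICE PASSWORD "Initial_Pwd_2015_a";              -- placeholder
CREATE USER BOB_REPORTS IDENTIFIED EXTERNALLY AS 'bob@EXAMPLE.COM';
ALTER USER BOB_REPORTS SET PARAMETER CLIENT = '100';

-- 5. Assign roles, never individual privileges, to users. Only the security
--    administrator may pass the administrator role on.
CREATE USER SEC_ADMIN PASSWORD "Initial_Pwd_2015_s";              -- placeholder
GRANT TMPL_ADMINISTRATOR   TO SEC_ADMIN WITH ADMIN OPTION;
GRANT TMPL_DEVELOPER_SALES TO DEV_ALICE;
GRANT TMPL_CONSUMER_CC1000 TO BOB_REPORTS;

-- 6. Verify what the consumer actually ends up with, including privileges
--    inherited through the role.
SELECT GRANTEE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, IS_GRANTABLE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'BOB_REPORTS';

-- 7. Leaver: revoke the role and deactivate the account rather than dropping
--    it, so audit records keep resolving to the user name.
REVOKE TMPL_DEVELOPER_SALES FROM DEV_ALICE;
ALTER USER DEV_ALICE DEACTIVATE USER NOW;
```

Keeping the developer role scoped to a single package is what makes the template reusable: a second team gets a copy of the role with its own package name, and neither team can edit or activate the other's models.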
